Two weeks ago, I described a true circumstance where a Hyper-V server was hacked (both a child VM and the parent system), and I was pulled in afterward to fix the resulting issues. The manner of the attack gave the appearance of a potential escape attack but without evidence this had occurred -- a mystery indeed.

Some folks at Microsoft read the article and offered to lend a hand in tracking down the cause of the hack. The investigation revealed several breaches of etiquette with regard to server security, especially in relation to Hyper-V. For starters, the parent system had additional software installed, including remote sharing application software called TeamViewer. Apparently the username and password for the administrator's account had been given out to others. Thus, the hack apparently was the result of a direct attack, not of the theoretical escape attack.

In addition, it appears that form of attack would not be possible with Hyper-V. Hyper-V is not susceptible to the guest-to-host escape vulnerability (aka a VM escape) that InfoWorld has described. The guest-to-host escape vulnerability applies only to virtualization frameworks (such as in Xen and EMC VMware) with operation modes that do not use hardware virtualization extensions but instead operate through techniques such as ring deprivileging to perform machine virtualization.

Unlike Xen and VMware, Hyper-V requires Intel VT-x and AMD-V hardware virtualization extensions, and it will not function on systems without hardware support for virtualization. It's not at risk for the guest-to-host escape attack. (CERT KB 649219 describes the patches from Red Hat and Xen to address the VM escape issue on their virtualization platforms.)

Ring deprivileging enables machine virtualization on systems that do not offer hardware extensions for virtualization by allowing the guest operating system to be run at a ring higher than 0 to accommodate the virtual machine monitor in ring 0. Additionally, methods such as binary translation are used to rewrite ring 0 instructions in terms of ring 3 instructions to enable trap-and-emulate virtualization. This is done because some ring 0 instructions behave differently when executed outside of ring 0, complicating trap-and-emulate virtualization.
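The difference between an instruction that traps and one that silently misbehaves can be seen in a toy model. The following is an added example, not code from the article or from any hypervisor: it assumes x86 `CLI` and `POPF` as representative instructions (the article names none), a guest kernel deprivileged to ring 1, and a hypothetical `vmm_call` pseudo-instruction standing in for translated code.

```python
# Toy model (constructed for illustration): a guest kernel deprivileged to
# ring 1, while the VMM in ring 0 tracks the guest's *virtual* interrupt flag.

class Trap(Exception):
    """Raised when the toy CPU faults and hands control to the VMM."""

def cpu_execute(ring, op):
    """Model how two x86 instructions behave outside ring 0 (IOPL below ring)."""
    name = op[0]
    if name == "cli":
        # Privileged: faults outside ring 0, so the VMM can emulate it.
        if ring != 0:
            raise Trap(op)
    elif name == "popf":
        # Sensitive but unprivileged: the IF change is dropped, no fault.
        pass
    elif name == "vmm_call":
        # Hypothetical explicit entry into the VMM emitted by the translator.
        raise Trap(op)

def translate(code):
    """Binary translation: rewrite non-trapping sensitive ops into VMM calls."""
    return [("vmm_call", op) if op[0] == "popf" else op for op in code]

def run_guest(code, use_translation):
    """Run guest kernel code at ring 1; return the VMM's final virtual IF."""
    virtual_if = 1
    if use_translation:
        code = translate(code)
    for op in code:
        try:
            cpu_execute(1, op)
        except Trap as trap:
            name, arg = trap.args[0]
            if name == "vmm_call":      # unwrap the original instruction
                name, arg = arg
            if name == "cli":
                virtual_if = 0
            elif name == "popf":
                virtual_if = arg        # arg = IF bit the guest wants loaded

    return virtual_if

if __name__ == "__main__":
    print("cli,  trap-and-emulate:", run_guest([("cli", None)], False))
    print("popf, trap-and-emulate:", run_guest([("popf", 0)], False))
    print("popf, with translation:", run_guest([("popf", 0)], True))
```

With trap-and-emulate alone, the guest's `popf` leaves the VMM's view of the interrupt flag stale, which is the gap binary translation closes.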

Although Hyper-V isn't susceptible to this issue resulting in a guest-to-host escape, 64-bit versions of Windows 7 and Windows Server 2008 R2 could have an issue that in turn could result in an elevation of privilege within a Hyper-V VM or on a physical server. This privilege escalation issue within Windows guest VMs (also described in CERT KB 649219) was addressed in a security update for all affected Windows operating systems in June 2012.

Thus, when it comes to the escape attacks:

A Hyper-V host isn't susceptible to the VM guest-to-host issues because it uses hardware virtualization extensions. Other hypervisors that don't require hardware virtualization extensions are susceptible, and admins should check to see if a patch is needed.

Windows running within the VM could be susceptible to an elevation of privilege within the VM. Be sure you've applied that June 2012 security update to patch that flaw.

The mystery about who hacked this server continues. However, my immediate focus with the client is to ensure that it follows best practices from now on to ensure such a hack doesn't happen again. I'm starting with a freshly installed parent Hyper-V system running Windows Server 2012 R2 (with all the latest updates) and with no additional software installed on that parent system. Credentials for the parent system will not carry over to the VMs running on it, and I'll be the only one who knows the administrative access credentials to the parent system.

J. Peter Bruzzese is a five-time-awarded Microsoft MVP (current technical expertise Office 365, previous four years Exchange). He is a technical speaker and author with more than a dozen books sold internationally. He's the cofounder of ClipTraining, the creator of ConversationalGeek.com, instructor on Exchange/Office 365 video content for Pluralsight, and a consultant for a variety of companies.